- Patrick Duggan
# We Indexed the Bitwarden CLI Exfil Endpoint Three Days Before The Hacker News Reported It
April 27, 2026 — DugganUSA
The Bitwarden CLI got backdoored on April 22. The malicious package shipped through npm for 93 minutes. Stole GitHub tokens, npm tokens, SSH keys, cloud credentials, .env files, AI tool configs. Self-propagating worm. Encrypted exfil to a domain impersonating Checkmarx.
The Hacker News reported it today. So did SecurityWeek, CyberInsider, Endor Labs, Ox Security, Socket, Safedep.
We had the exfil telemetry endpoint indexed on April 24. We had the parent campaign domain indexed on April 4 — 18 days before today's coverage.
Receipts below.
## What Happened
Between 5:57 PM and 7:30 PM Eastern on April 22, 2026, npm distributed @bitwarden/cli version 2026.4.0 with a malicious preinstall hook. That hook ran bw_setup.js, which downloaded the legitimate Bun JavaScript runtime from GitHub, then used Bun to execute bw1.js — a 10 megabyte heavily obfuscated payload.
The payload is a credential harvester and a self-propagating supply chain worm. It steals GitHub tokens, npm tokens, SSH material, cloud credentials, shell history, .env files, and AI tool configuration files. Encrypts everything with AES-256-GCM. Posts the encrypted blobs to https://audit.checkmarx.cx/v1/telemetry.
The .cx domain is a typosquat. Real Checkmarx is on .com.
If the worm finds GitHub tokens on a victim host, it weaponizes them. Injects malicious GitHub Actions workflows into the victim's repositories. Extracts CI/CD secrets. Replicates into the victim's other npm projects. Exfiltrates the secrets to public GitHub repos created in the victim's own namespace.
This is Shai-Hulud, third iteration. Endor Labs named it. Same campaign that hit the npm ecosystem twice already. Each iteration gets faster, quieter, and more contagious.
The clean Bitwarden CLI version before the compromise is 2026.3.0. Bitwarden re-released that build as 2026.4.1 on April 23 at 4:45 PM GMT+2. Bitwarden's investigation found no evidence that user vault data was accessed.
## Our Receipts
We didn't write a sample analysis. We didn't run a sandbox. We didn't get a tip from a researcher. We watched SSL certificates.
The SSL Blacklist feed publishes certificates that get used by malware C2 infrastructure. We pull it daily. When a new lookalike domain shows up wearing a TLS cert, we index it.
Here is what we caught, in order, all timestamps from our IOC index:
- April 4, 2026 at 15:27:37 UTC — checkmarx.zone. Indexed as botnet C2 from the SSL Blacklist feed. Eighteen days before the Bitwarden compromise. The broader Shai-Hulud infrastructure was already standing up TLS certs on Checkmarx-themed domains, and our feed picked it up the day SSL Blacklist published.
- April 24, 2026 at 07:40:36 UTC — bytewarden.cyou, plus four malicious JavaScript files hosted on it. Indexed as payload delivery. The bytewarden lookalike was Shai-Hulud's secondary infrastructure for serving the staged loader.
- April 24, 2026 at 18:25:05 UTC — audit.checkmarx.cx, domainaudit.checkmarx.cx, and the URL https://audit.checkmarx.cx/v1/telemetry. All three indexed as botnet C2 from SSL Blacklist. Two days after the Bitwarden window closed. Three days before mainstream coverage hit today.
That is six IOCs across two campaign-supporting domains, indexed before today's news cycle. Free in our STIX feed. We did not break the story. We had the story before there was a story.
## Why This Worked
Two moves, both signature.
The first move is bloom filter novelty checking. Every IOC that comes off our feeds gets fingerprinted against a probabilistic set of things we have already seen. New things stand out. Lookalike domains targeting brand-name security companies stand out harder. checkmarx.zone is novel. bytewarden.cyou is novel and aimed at a known security brand. Both light up the novelty signal the moment they appear.
The second move is Meilisearch cross-index correlation. The SSL Blacklist feed put audit.checkmarx.cx into the iocs index. The blog index already had two posts referencing Checkmarx and three posts referencing Bitwarden. The pulses index had Shai-Hulud entries from earlier 2026 iterations. When all three indexes share keywords, our correlator flags it as a candidate for left-of-boom analysis. None of this requires reading a sample or waiting on a vendor advisory.
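As an added illustration of the two moves above (example code, not DugganUSA's pipeline), here is a minimal version: a Bloom filter stands in for the "seen before" set, and a brand-lookalike check pushes novel Checkmarx- and Bitwarden-themed domains to the top. The seed IOCs, the brand list and the edit-distance threshold are assumptions.

```python
import hashlib
from typing import Iterator, Optional

# Constructed sample data (not DugganUSA's feed): IOCs already indexed, plus the
# brands whose own domains must not trip the lookalike check.
KNOWN_IOCS = ["evil-c2.example", "update.example.net", "cdn.example.org"]
BRANDS = {"checkmarx": {"checkmarx.com"}, "bitwarden": {"bitwarden.com"}}

class BloomFilter:  # probabilistic 'seen before' set: no false negatives, rare false positives
    def __init__(self, size_bits: int = 1 << 16, hashes: int = 4) -> None:
        self.size, self.hashes, self.bits = size_bits, hashes, bytearray(size_bits // 8)

    def _positions(self, item: str) -> Iterator[int]:
        for i in range(self.hashes):  # k bit positions from salted SHA-256
            digest = hashlib.sha256(f"{i}:{item}".encode()).digest()
            yield int.from_bytes(digest[:8], "big") % self.size

    def add(self, item: str) -> None:
        for p in self._positions(item):
            self.bits[p // 8] |= 1 << (p % 8)

    def probably_contains(self, item: str) -> bool:
        return all(self.bits[p // 8] & (1 << (p % 8)) for p in self._positions(item))

def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_brand(domain: str) -> Optional[str]:
    """Brand the domain imitates, or None (also None for the brand's own domain)."""
    label = domain.lower().split(".")[-2]  # second-level label; no public-suffix list here
    for brand, legit in BRANDS.items():
        if any(domain == d or domain.endswith("." + d) for d in legit):
            return None
        if brand in label or levenshtein(label, brand) <= 2:  # assumed threshold
            return brand
    return None

def triage(seen: BloomFilter, domain: str) -> dict:
    """Novelty check, then brand-lookalike scoring; the IOC is recorded as seen afterwards."""
    novel = not seen.probably_contains(domain)
    brand = lookalike_brand(domain)
    priority = "high" if novel and brand else "medium" if novel else "low"
    seen.add(domain)
    return {"domain": domain, "novel": novel, "lookalike_of": brand, "priority": priority}
```

Feeding checkmarx.zone and bytewarden.cyou through `triage` against a filter seeded with KNOWN_IOCS yields novel, high-priority hits; a re-sighting of either comes back low.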
We do not work for Bitwarden. We do not work for Checkmarx. We are a Minnesota company built around Anthropic Claude and run by one Sligo-Cavan-Cork dwarf. Our threat feed costs nine dollars a month. We caught the exfil telemetry endpoint three days before the security news cycle.
That gap is not a one-off. That is the structural advantage of indexing every certificate, every block event, every pulse, every blog post into a single search index and watching the cross-references light up.
## What To Do If You Pulled That Build
If anyone in your organization ran npm install on @bitwarden/cli version 2026.4.0 between 5:57 PM and 7:30 PM Eastern on April 22, treat the host as a credential exposure event. Not a cleanup. Not a patch. Rotate.
Remove the package. Delete bw_setup.js, bw1.js, bun, and bun.exe wherever they landed.
Rotate every GitHub personal access token that ever touched that host. Rotate every npm token. Rotate SSH keys. Rotate cloud credentials. Rotate any secret in any .env file. Rotate any token in any CI environment that the host has accessed.
Audit GitHub Actions workflows in repositories that token had access to. Look for new workflows or modified workflows. Look for new public repositories created in the user's namespace — that is the worm's exfil channel. If you find one, the secrets are already in the wild.
Check your SIEM for outbound traffic to audit.checkmarx.cx, domainaudit.checkmarx.cx, checkmarx.zone, or bytewarden.cyou. Check for HTTP POSTs to /v1/telemetry on any host you do not control. Block those domains at the egress proxy.
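One way to run that SIEM check over proxy logs, as an added example that is not from the post: it flags any contact with the four domains above and any POST to /v1/telemetry on a host outside an allowlist. The key=value log format, the OWNED_HOSTS allowlist and the sample lines are all constructed.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Domains named in the post; OWNED_HOSTS is an assumed allowlist of telemetry hosts you run.
IOC_DOMAINS = {"audit.checkmarx.cx", "domainaudit.checkmarx.cx", "checkmarx.zone", "bytewarden.cyou"}
OWNED_HOSTS = {"telemetry.corp.example"}

# Constructed key=value proxy log format (assumed; adapt the regex to your proxy's fields).
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) method=(?P<method>[A-Z]+) host=(?P<host>\S+) path=(?P<path>\S+)")

@dataclass
class Finding:
    ts: str
    src: str
    host: str
    reason: str

def is_ioc_domain(host: str) -> bool:
    host = host.lower().rstrip(".")
    return host in IOC_DOMAINS or any(host.endswith("." + d) for d in IOC_DOMAINS)

def scan_proxy_log(lines: Iterable[str]) -> List[Finding]:
    """Flag contact with the listed domains and POSTs to /v1/telemetry on unowned hosts."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not our format: skip rather than crash on a malformed line
        host = m["host"].lower().rstrip(".")
        if is_ioc_domain(host):
            findings.append(Finding(m["ts"], m["src"], host, "contact with Shai-Hulud C2/exfil domain"))
        elif (m["method"] == "POST" and m["path"].split("?")[0].rstrip("/") == "/v1/telemetry"
              and host not in OWNED_HOSTS):
            findings.append(Finding(m["ts"], m["src"], host, "POST /v1/telemetry to host not under our control"))
    return findings

# Constructed sample lines (not real telemetry): a clean request, a direct IOC hit, a telemetry
# POST to an unknown host, a POST to our own telemetry host, and a malformed line.
SAMPLE_LOG = [
    "2026-04-22T22:01:10Z src=10.20.3.41 method=GET host=registry.npmjs.org path=/@bitwarden%2fcli",
    "2026-04-22T22:03:55Z src=10.20.3.41 method=POST host=audit.checkmarx.cx path=/v1/telemetry",
    "2026-04-22T22:04:02Z src=10.20.3.41 method=POST host=203.0.113.7 path=/v1/telemetry?x=1",
    "2026-04-22T22:05:30Z src=10.20.3.52 method=POST host=telemetry.corp.example path=/v1/telemetry",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_LOG):
        print(f"{f.ts} {f.src} -> {f.host}: {f.reason}")
```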
Bitwarden's vault data is unaffected per their investigation. The compromise sits at the npm distribution path, not the application. End user vaults were never reached. But every credential that lived on a developer host that ran the bad build is potentially in Shai-Hulud's harvest.
## The Pattern
Trust to proving to proven to compromise. It applies to dark markets, to crypto exchanges, to ransomware brands, to threat intel feeds, and now to npm packages from password managers. Bitwarden is one of the most trusted brands in security. That trust is exactly why an npm distribution path compromise hits this hard. The attacker did not need a Bitwarden zero-day. They needed ninety-three minutes of registry trust.
The previous two Shai-Hulud waves should have ended the era of optional package signing in npm. They did not. So here is the third wave, with a Bun runtime download, AES-256-GCM exfil, and a worm that turns every GitHub token it finds into another infection vector.
Expect a fourth wave.
Microsoft pulls our STIX feed daily. AT&T pulls it daily. Starlink pulls it daily. Get the DugganUSA STIX feed at nine dollars a month at analytics.dugganusa.com/stix.
We aim for ninety-five percent. The other five percent is honest. Murphy was an optimist.
## References
- The Hacker News, Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain Campaign, April 27, 2026.
- Endor Labs, Shai-Hulud the Third Coming, April 2026.
- Socket.dev, Bitwarden CLI Compromised.
- Bitwarden Community Forums, Bitwarden Statement on Checkmarx Supply Chain Incident.
- SecurityWeek, Bitwarden NPM Package Hit in Supply Chain Attack.
- Safedep, Bitwarden CLI Supply Chain Compromise.
- Ox Security, Inside the Shai-Hulud Supply Chain Attack.
- CyberInsider, Bitwarden CLI Backdoored.
The cheapest, fastest, most accurate threat feed on the internet. 275+ enterprises pulling daily. 1.1M+ IOCs. 17.85M indexed documents. We caught checkmarx.zone eighteen days before Hacker News reported the campaign that used it. Starter tier nine dollars a month — less than any competitor's sales demo. Look up an IOC at analytics.dugganusa.com. Audit your brand on AIPM at aipmsec.com. See pricing at analytics.dugganusa.com/stix/pricing.
Her name was Renee Nicole Good.
His name was Alex Jeffery Pretti.
